Replies: 4 comments
-
With the default configuration, each container is connected to a Docker bridge network Docker containers are isolated from the local network unless you specifically configure them to use the host network. This isolation is part of Docker's design to ensure that containerized applications run in a predictable and secure environment. You have two options:
Solution 1 Example: Pay attetion to these lines: Also comment out the port and networks in zerotier. version: "3.1"
services:
postgres:
image: postgres:15.2-alpine
container_name: postgres
restart: unless-stopped
ports:
- 5432:5432
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: ztnet
volumes:
- postgres-data:/var/lib/postgresql/data
networks:
- app-network
zerotier:
image: zyclonite/zerotier:1.12.2
hostname: zerotier
container_name: zerotier
restart: unless-stopped
volumes:
- zerotier:/var/lib/zerotier-one
cap_add:
- NET_ADMIN
- SYS_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
network_mode: "host"
# networks:
# - app-network
# ports:
# - "9993:9993/udp"
environment:
- ZT_OVERRIDE_LOCAL_CONF=true
ztnet:
image: sinamics/ztnet:latest
container_name: ztnet
working_dir: /app
volumes:
- zerotier:/var/lib/zerotier-one
- /etc/localtime:/etc/localtime:ro
restart: unless-stopped
ports:
- 3000:3000
environment:
ZT_ADDR: http://10.0.0.214:9993
POSTGRES_HOST: postgres
POSTGRES_PORT: 5432
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: postgres
NEXTAUTH_URL: "https://my_awesome_ztnet.com"
NEXTAUTH_SECRET: "random_secret"
networks:
- app-network
links:
- postgres
depends_on:
- postgres
- zerotier
volumes:
zerotier:
postgres-data:
networks:
app-network:
driver: bridge
ipam:
driver: default
config:
- subnet: 172.31.255.0/29
If you type |
Beta Was this translation helpful? Give feedback.
-
Ahhh wow very helpful explanation! Reading your response and seeing the config file with networks commented out pulls it together for me. I am still learning the ins and outs of networking with Docker so this is very new to me and I appreciate your patience explaining it to me. I'm going to change my tune now, though. Rather than "getting it to work" the same way my current setup is, I'd much rather fully use it as you intended. I enjoy the ztnet UI and options I have to implement things like flow rules, tags, and other settings outside of using the command line. I love what you're doing here and want to keep with that vision. So, if you would be so kind as to share with me how you'd implement a solution for my situation, I'd appreciate it (I'll try to keep it short). I am volunteering to do dev / IT work for a spiritual/religious organization. I set them up with a NAS (synology) that is self-hosting a zerotier controller as well as Vaultwarden. We want to host more services, and the NAS hardware isn't really enough, so I got them a second server running Ubuntu 22.04.3 which will be the new host for the controller and all other web-based services (the NAS will only be for storage). So, there are two servers, the Synology NAS, and the Ubuntu box running zerotier and all other services. What would be your preferred way to set this up using ztnet? The most simple solution that comes to mind is to do a basic installation of zerotier on the Ubuntu box (not in a docker container), in addition to having ztnet in the docker containers. Then to just have it join the controller hosted in the setup of the ztnet containers. Or, if you have an ideal setup for utilizing ztnet in this situation that's different from what I laid out above, I'd love to hear it. |
Beta Was this translation helpful? Give feedback.
-
Glad to hear you enoying ztnet. 🎉
It's important to note that you cannot install Zerotier on the host and run ztnet in Docker simultaneously without conflicts, as they both use port 9993 on the host
There is probably a ton of other ways, but these are "top of my head" |
Beta Was this translation helpful? Give feedback.
-
Thanks for your insights! I decided to go w/route 4 (your preferred choice). Proxmox has been on my radar for some months now but I felt like it was possibly overkill or that I'd be overwhelmed trying to figure it all out. Well, I think I'm in pretty good shape now, but it wasn't easy hahaha. I'll share in case it helps anyone. I installed proxmox on the server that was hosting the web services. That required a reformat of the hard drive and starting all over. I set up the 2 VM's (right now) one for ztnet and one for the Ubuntu install hosting the services. This was actually MUCH easier than I thought it would be. ztnet works as desired, joining worked and managing adding members was great. I loved setting up the flow rules right in the ztnet UI. I have a couple of questions I'll ask at the end. What took me three days to finally figure out properly was how to secure the whole setup. The NAS has its own firewall, so that was good. I wanted to secure the VM w/ ztnet as well as the one hosting the services. I was able to use the proxmox firewall to secure the ztnet VM, and tried the same for the services VM. That's where things got difficult. Zerotier completely bypassed the proxmox firewall. My assumption here is that the network interface that Zerotier makes and uses is what prevents the proxmox firewall from doing its job. The firewall rules worked from the local network (192.168.1.x) but not when connecting through the Zerotier network. After much tinkering around, I decided to just try to set up ufw on the VM itself - but I knew that came with its own challenges since docker bypasses ufw rules by default. Fortunately someone created a tool to help using ufw with zerotier ( https://github.com/chaifeng/ufw-docker ). I tried using that but at first it didn't seem like it was working at all. There were two reasons - one was that I had to disable the firewall on the VM from proxmox. The other was that the ufw-docker tool allows all traffic from 192.1.x and 10.0.x since they are considered 'private' networks. So, I had to comment out some of the rules included it its 'after.rules' updates to not allow those networks, while leaving the ones that allow docker containers to contact the host machine. After doing that, I wanted to add rules to only allow access to the ports that the services use, and only from the IPs on zerotier and the local network. Unfortunately the ufw-docker tool doesn't work with specifying IP addresses or ranges, so I had to reverse engineer what it was doing by adding a couple of fake rules for containers, figuring out the commands to create those rules (which it does share, thank goodness). It uses the IP addresses of the containers, so I also had to figure those out. So, as it stands now, to open up access to a service I need to find the IP of the container, then add two rules allowing access to the port from the LAN and the Zerotier network. Phew, took a few days, but it seems to be working as I want it to now! Now, as far as ztnet - I do have two questions @sinamics . One is that I cannot figure out how to get mail SMTP to work with SSL. If you go to the mail settings page ( http://192.168.1.xxx:3000/en/admin/?tab=mail-setting ) there's the 'Use SSL' checkbox. I have mail working without it checked, but not with it checked. When it is checked, I receive a 500 internal service error. My browser console has the following: {
"input": {
"type": "forgotPasswordTemplate"
},
"result": {
"meta": {
"response": {},
"responseJSON": [
{
"error": {
"json": {
"message": "001813BB167F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:355:\n",
"code": -32603,
"data": {
"code": "INTERNAL_SERVER_ERROR",
"httpStatus": 500,
"path": "admin.sendTestMail",
"zodError": null
}
}
}
}
]
},
"shape": {
"message": "001813BB167F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:355:\n",
"code": -32603,
"data": {
"code": "INTERNAL_SERVER_ERROR",
"httpStatus": 500,
"path": "admin.sendTestMail",
"zodError": null
}
},
"data": {
"code": "INTERNAL_SERVER_ERROR",
"httpStatus": 500,
"path": "admin.sendTestMail",
"zodError": null
},
"name": "TRPCClientError"
},
"elapsedMs": 108,
"context": {}
} I'd assume that this is because ztnet is not running on SSL itself. I do not connect over https, only http. I'm not sure if there's some way to use a certificate that is issued by my own CA to secure it, but I'd love to do that if possible. Any thoughts here? The other questions I have are related to DNS / Zeronsd. I see in other conversations that there isn't really a strong desire from the community for the ability to have the ztnet setup work with Zeronsd, but I personally would love it. I did see your recent release of the ability to use a script to create the needed entries to a hosts file ( #207 ) but I'm under the impression that this would have to be provided to every client - is that correct? Or am I misunderstanding? It's a little beyond the people I am doing this for to edit a hosts file, but if this somehow works in a centralized manner I'd be all for it. As far as Zeronsd goes, it looks like about a year ago they merged a PR ( zerotier/zeronsd@6d3e2e4 ) to be able to set a custom base path. Zeronsd also needs an API key to work against the central zerotier instance. I see that in ztnet on the user settings page we can create api tokens. Is this a potential route to get zeronsd to work with ztnet? Configure zeronsd to use the IP address that we have ztnet running on, supply an api token we generate in ztnet, and have it work? DNS is another I've tinkered with but a full implementation would be above my head. After dealing with the whole virtualization / firewall stuff I'd love to have an easy way to do DNS, but now that I have proxmox I guess I could set up a VM to host the DNS server and try to do it all manually that way. Would love to know your thoughts. |
Beta Was this translation helpful? Give feedback.
-
📝 Describe the Problem You Are Having
I am unable to connect to services that are being hosted on the same machine that ztnet and Zerotier are. My test is with a instance of Vaultwarden I have running on the server. Both Vaultwarden, and ztnet are running in Docker containers on the server, set up through Portainer.
When on the local network, I can connect to Vaultwarden using the IP address of the machine assigned by the router (192.168.1.132) but cannot access it via the IP assigned by Zerotier. I can ping both IPs without any issue.
I was helped in this issue ( #119 (comment) ) getting the Zerotier node to join the controller on its own machine and it's apparent that there may be some networking things that I do not understand about this setup.
I currently run Zerotier a different local machine using ztncui in this fashion. A self-hosted Zerotier controller is on the machine with ztncui; the node joined its own network; and I have services running on the machine which I am able to access without issue.
Something about the ztnet setup preventing me from connecting to these services using the IP address assigned by Zerotier. Is this something that I can make possible using the configuration provided by ztnet?
🔖 Version
Latest ( ID sha256:6a7ec8eb9744993a8ddf776014afbe2dabb53b82719a3b1a40406167f1788037 )
📋 Docker Logs
💻 Operating System
Ubuntu
📚 Any Other Information That May Be Helpful
No response
Beta Was this translation helpful? Give feedback.
All reactions